Office 365 ADFS Proxy Role a requirement for Single Sign On?

2017-12-08T13:21:23+00:00 June 18th, 2013|Office 365|

Hi All,

A couple of times I have been asked by customers whether the Active Directory Federation Services (ADFS) Proxy role is a requirement for implementing Office 365.

The short answer to this question is no. It is not a requirement, as the internal ADFS servers can be published on the Internet and can service Office 365 single sign-on requests on port 443.

The reason the ADFS Proxy role is recommended is that it keeps your internal ADFS servers, which need to be joined to the domain, from being exposed to the Internet; the proxy servers do not need to be joined to the domain.

In addition, it becomes much easier to put in access policy rules, such as blocking all external access to Office 365 except for web browser access. Other third-party proxy tools can also be used as long as they can perform the following:

1. Send an HTTP header named x-ms-proxy. The value of this header should be the DNS name of the proxy host.
2. Send an HTTP header named x-ms-endpoint-absolute-path. The value of this header should be set to the name of the proxy endpoint that received the request.
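The two header requirements above, sketched as an added example (not code from this post or from Microsoft). The function names, `sts-proxy.example.com` and the sample request are constructed; it assumes the endpoint name is the request path without its query string and that the proxy replaces any client-supplied copies of these headers.

```python
# Added example: header handling for a third-party proxy in front of ADFS.
PROXY_HEADERS = {"x-ms-proxy", "x-ms-endpoint-absolute-path"}


def build_upstream_headers(client_headers, proxy_dns_name, request_target):
    """Return the (name, value) header list to forward to the internal ADFS server."""
    # HTTP header names are case-insensitive, so compare in lower case and
    # drop anything the client sent under the proxy's own header names.
    kept = [(n, v) for n, v in client_headers if n.lower() not in PROXY_HEADERS]
    # Assumption: the endpoint name is the path portion of the request target.
    endpoint = request_target.split("?", 1)[0]
    return kept + [
        ("x-ms-proxy", proxy_dns_name),              # requirement 1
        ("x-ms-endpoint-absolute-path", endpoint),   # requirement 2
    ]


def audit_forwarded_headers(headers, proxy_dns_name):
    """List problems in a request as captured on the ADFS side of the proxy."""
    problems = []
    for required in sorted(PROXY_HEADERS):
        values = [v for n, v in headers if n.lower() == required]
        if not values:
            problems.append(f"missing {required}")
        elif len(values) > 1:
            problems.append(f"duplicate {required}")
    proxy_values = [v for n, v in headers if n.lower() == "x-ms-proxy"]
    if proxy_values and proxy_values[0] != proxy_dns_name:
        problems.append("x-ms-proxy is not the proxy DNS name")
    return problems


# Constructed sample: an external request that already carries an x-ms-proxy value.
SAMPLE_CLIENT_HEADERS = [
    ("Host", "sts.example.com"),
    ("User-Agent", "Mozilla/5.0"),
    ("X-MS-Proxy", "not-the-proxy.example.net"),
]
SAMPLE_TARGET = "/adfs/ls/?wa=wsignin1.0"

if __name__ == "__main__":
    forwarded = build_upstream_headers(
        SAMPLE_CLIENT_HEADERS, "sts-proxy.example.com", SAMPLE_TARGET)
    for name, value in forwarded:
        print(f"{name}: {value}")
    print(audit_forwarded_headers(forwarded, "sts-proxy.example.com"))
```

Running `audit_forwarded_headers` against headers captured behind a candidate proxy product shows quickly whether it meets both requirements before ADFS access policy rules are built on top of them.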

Hope this helps.

Cheers

Paul